Abstract

Based on the fact that entanglement cannot be created locally, we propose a quantum bit
commitment protocol in which entangled states and quantum algorithms are used. The bit is
not encoded in the form of the quantum states, and delaying the measurement is required.
Therefore the protocol is not ruled out by the Mayers-Lo-Chau no-go theorem, and
unconditional security is achieved.

Starting from the original idea of Wiesner [1], quantum cryptography plays an essential
role in present-day research on quantum information. Besides the well-known quantum key
distribution protocol [2-4], another crucial primitive in quantum cryptography is quantum
bit commitment (QBC). As shown by Yao [5], a secure QBC scheme can be used to implement a
secure quantum oblivious transfer scheme [6,7]. And Kilian [8] has shown that, in classical
cryptography, oblivious transfer can be used to implement two-party secure computations [9].
Many other cryptographic tasks, such as quantum coin tossing [2,10-12] and quantum oblivious
mutual identification [13], can also be constructed on top of QBC. All of these are very
useful in the so-called "post-cold-war era", with a wide range of economic, financial and
even military applications. In classical cryptography, these tasks can only be done through
trusted intermediaries. Otherwise some unproven computational assumptions must be invoked,
such as the hardness of factoring, which can easily be broken once quantum computers become
practical [14]. Therefore people hope that quantum cryptography can get rid of those
requirements, and that the same goals can be achieved using the laws of physics alone.
However, Mayers, Lo and Chau have claimed that an unconditionally secure QBC scheme can
never be achieved in principle [15,16], and that all the protocols formerly proposed [5,17]
are insecure. By delaying the measurement on quantum states, the participants can always
succeed in cheating with Einstein-Podolsky-Rosen (EPR)-type attacks, or the so-called Mayers
attacks. This discovery is called the Mayers-Lo-Chau no-go theorem or MLC theorem. During
the past half decade, attempts at fixing the problem with classical BC protocols (such as
the classical computational BC scheme [18,19] or the two-prover BC scheme [20]) were also
later proven to fail [21,22]. Some protocols have to rely on relativity assumptions [23] or
reduce to conditional security [24]. The failure of QBC seems to bring a fatal limitation to
the power of quantum cryptography.

But in this paper, we will propose a new QBC protocol which is not ruled out by the MLC
theorem. EPR attacks will no longer succeed and unconditional security can be achieved.

A bit commitment scheme between two parties (Alice and Bob) generally includes two 
phases. In the commit phase, Alice has in mind a bit (b = 0 or 1) which she wants to commit
to Bob. So she sends him a piece of evidence. Later, in the unveil phase, Alice announces 
the value of b, and Bob checks it with the evidence. A protocol is said to be binding if Alice 
cannot change the value of b after the commit phase, and is said to be concealing if Bob 
cannot tell what b is before the unveil phase. A secure protocol needs to be both binding 
and concealing. 

The argument of the MLC theorem is based on Yao's general model of QBC [5]. According to
this model, the previously proposed protocols that were proven insecure all start with the
following steps: Alice prepares a state
$|0\rangle = \sum_j \lambda_j |\alpha_j\rangle \otimes |\beta_j\rangle$ if $b = 0$, or
$|1\rangle = \sum_j \lambda'_j |\alpha'_j\rangle \otimes |\beta'_j\rangle$ if $b = 1$,
and sends the second register to Bob. Then Alice is supposed to carry out a measurement on
the first register to make it collapse to $|\alpha_k\rangle$ or $|\alpha'_k\rangle$
according to the value of $b$. And Bob measures the second register to verify Alice's
commitment. But in these protocols, the entanglement inside the quantum states is not
fully utilized. Any classical information that the participants need to announce during
the commit phase, as required by the protocol, can be calculated without the help of the
entanglement. That is, the calculation involved is not thoroughly a quantum algorithm.
The value of $b$ in fact depends only on the form of the first register, and not on the
form of the entire entangled state. As we know, entangled quantum states have the power to
carry out parallel computations, which is much more powerful than a classical algorithm.
Therefore it is no surprise that, by making full use of the entangled states, Alice can
execute the protocol successfully even if she delays her measurement, just as if she were
executing the commitment with $b = 0$ and $b = 1$ simultaneously. Then in the unveil phase,
she can apply a local transformation on the first register to map the state between
$|0\rangle$ and $|1\rangle$. This is the reason why Alice can cheat in these protocols
[15,16,25].

So we can see that, to propose a secure QBC protocol that can withstand this so-called
Mayers attack, we must make full use of the computational power of the entangled states.
The effect of the entanglement must be taken into consideration throughout the commitment,
thus quantum algorithms must be involved. So the outline of our new protocol is as follows.
In the commit phase, Alice and Bob first share certain entangled states which can solve a
certain problem with a quantum algorithm; then Alice shows Bob that she has indeed solved
the problem. Solving the problem should force Alice to measure a minimum set of states even
with the most efficient quantum algorithm, while the other states can be left unmeasured.
Then we correlate the commit bit $b$ with the states according to whether the states are
measured or not. In the unveil phase, Alice should show Bob that there is a certain number
of states which are indeed unmeasured. A state which is already measured and collapsed
cannot be used to fake a state which is still entangled with another state. Therefore the
security of the commitment can be guaranteed.

For concreteness, in the following we shall use four quantum states of a photon with
different polarizations in the description. But in fact the protocol can be constructed on
any other type of nonorthogonal states as well. Here we denote the four states of light
polarization of angles 0°, 45°, 90° and 135° as $|0,0\rangle$, $|1,0\rangle$, $|0,1\rangle$
and $|1,1\rangle$ respectively. We will also consider the ideal setting only, where the
quantum communication channel is supposed to be error-free. Before we get to the protocol,
let us first consider the following problem:

Problem P.
Alice and Bob execute the following procedure:

(1) Alice sends Bob a series of photons $\{\beta_i \mid i \in S\}$, where
$S = \{1, \ldots, s\}$ is a set of natural numbers;

(2) $\mathop{\mathrm{DO}}_{i=1}^{s}$ Bob randomly picks a bit $p'_i$ and measures $\beta_i$
in the rectilinear basis (0° and 90° polarized) if $p'_i = 0$, or the diagonal basis (45°
and 135° polarized) if $p'_i = 1$. The outcome is denoted as $|p'_i, q'_i\rangle_\beta$;

(3) Bob announces to Alice a series of "fake" results
$\{|p''_i, q''_i\rangle_\beta \mid i \in S\}$, which need not agree with
$\{|p'_i, q'_i\rangle_\beta \mid i \in S\}$. He can choose to apply three types of lies:

lie a: $p''_i = p'_i \wedge q''_i = \neg q'_i$

lie b: $p''_i = \neg p'_i \wedge q''_i = q'_i$

lie c: $p''_i = \neg p'_i \wedge q''_i = \neg q'_i$

Let $L_a = \{i \in S \mid |p''_i, q''_i\rangle_\beta = |p'_i, \neg q'_i\rangle_\beta\}$,
$L_b = \{i \in S \mid |p''_i, q''_i\rangle_\beta = |\neg p'_i, q'_i\rangle_\beta\}$, and
$L_c = \{i \in S \mid |p''_i, q''_i\rangle_\beta = |\neg p'_i, \neg q'_i\rangle_\beta\}$,
with $f_a = |L_a|/s$, $f_b = |L_b|/s$ and $f_c = |L_c|/s$ denoting the frequencies of Bob
applying each type of lie. Suppose that $0 < f_a, f_b, f_c < 1/4$ and $f_b > f_c$.
Now the question is: how can Alice detect a set of lies $D$ such that
$D \subset L_a \cup L_b \cup L_c$ and $|D| \sim (f_a/2 + f_b/4 + f_c/4)s$?

This problem can easily be solved by the following "semi-classical" method. Alice can
determine the states of all the $s$ photons beforehand, i.e. in step (1) she prepares every
photon $\beta_i$ in a pure state $|p_i, q_i\rangle_\beta$ non-entangled with any other
systems. Then she sets
$D = \{i \in S \mid |p''_i, q''_i\rangle_\beta = |p_i, \neg q_i\rangle_\beta\}$ after Bob
announces $\{|p''_i, q''_i\rangle_\beta \mid i \in S\}$ in step (3). Now let us evaluate the
size of this set $D$. Since $p'_i$ is randomly chosen by Bob, for half of the states Bob
will by chance choose the correct basis $p'_i = p_i$. Among this half, whenever Bob applies
a lie a, it will be detected by Alice since she knows that Bob can never find $q_i$ as
$\neg q_i$ in his measurement once he uses the correct basis. But no lie b and lie c will
be detected, since when Bob announces $p''_i = \neg p'_i = \neg p_i$, Alice does not know
what the result should be when $|p_i, q_i\rangle_\beta$ is measured in the wrong basis
$p''_i$. Meanwhile for the other half of states that Bob has measured with the wrong basis
$p'_i = \neg p_i$, the probabilities of finding $q'_i = q_i$ and $q'_i = \neg q_i$ are both
1/2. Therefore when Bob applies lie b or lie c, $p''_i = \neg p'_i$ becomes the correct
basis. The probability for such a state to satisfy
$|p''_i, q''_i\rangle_\beta = |p_i, \neg q_i\rangle_\beta$ is then 1/2. But no lie a will be
detected in this case since $p''_i = p'_i$ is the wrong basis now. So we can see that the
number of lies that Alice totally detects is $|D| \sim (f_a/2 + f_b/4 + f_c/4)s$. That is,
such a set $D$ is just what is required by the problem.

But with full quantum algorithms we can solve the problem more efficiently. Alice can
prepare every photon $\beta_i$ as a mixture entangled with another system $\alpha_i$. For
example, in step (1) she can prepare the state of the whole incremental system as
$|\psi_i\rangle = |\alpha_i \otimes \beta_i\rangle = \cos\theta_i\, |x\rangle_\alpha \otimes |0, q_i\rangle_\beta + \sin\theta_i\, |y\rangle_\alpha \otimes |1, q_i\rangle_\beta$,
where $|x\rangle_\alpha$ and $|y\rangle_\alpha$ are orthogonal to each other,
$q_i \in \{0, 1\}$ and $\theta_i \in (0, \pi/2)$. She sends $\beta_i$ to Bob, and after
step (3) she divides $S$ into two subsets: $M = \{i \in S \mid q''_i = \neg q_i\}$ and
$U = \{i \in S \mid q''_i = q_i\}$. Due to the specific form of $|\psi_i\rangle$, Bob is
more likely to find $q'_i$ as $q_i$ than $\neg q_i$ no matter which basis he uses.
Therefore when Alice finds Bob announcing $q''_i = \neg q_i$, she knows that he is more
likely to be lying. So for the states whose indices are included in $U$, she can just leave
them unmeasured. And for $\forall i \in M$, she measures $\alpha_i$ in the basis
$(|x\rangle_\alpha, |y\rangle_\alpha)$. She sets $p_i = 0$ if she finds $|x\rangle_\alpha$
or $p_i = 1$ if she finds $|y\rangle_\alpha$. Then she sets
$D = \{i \in M \mid p_i = p''_i\}$. Detailed analyses can prove that both
$D \subset L_a \cup L_b \cup L_c$ and $|D| \sim (f_a/2 + f_b/4 + f_c/4)s$ are automatically
satisfied. Calculations also show that $|M| \sim [1/4 + (f_a + f_c)/2]s$ when Bob chooses
$p'_i$ randomly. Thus we see that Alice can detect $D$ by measuring only
$[1/4 + (f_a + f_c)/2]s$ states. In the "semi-classical" method described above, Alice's
action in step (1) is equivalent to first preparing the states in an entangled form as
well, but then measuring all the $s$ entangled states $|\psi_i\rangle$ to make $\beta_i$
collapse into non-entangled pure states before Bob measures them. So we can see now that,
with the full use of the computational power of the entangled states, Alice manages to
measure fewer states than the "semi-classical" method while the same goal is achieved.
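
The Monte Carlo sketch below is an added example, not code from the paper: it simulates Problem P with the entangled preparation and $\theta_i = \pi/4$, then compares the observed $|M|/s$ and $|D|/s$ with the two formulas in the paragraph above. The function names, the independent per-photon choice of lie type and the sample frequencies are assumptions of the example.

```python
import math
import random

def pol(p, q):
    """Polarization state |p,q>: angle 45*p + 90*q degrees, as a real 2-vector."""
    phi = p * math.pi / 4 + q * math.pi / 2
    return (math.cos(phi), math.sin(phi))

def dot(u, v):
    return u[0] * v[0] + u[1] * v[1]

def run_problem_p(s, fa, fb, fc, theta=math.pi / 4, seed=1):
    rng = random.Random(seed)
    M, D, lies = set(), set(), {"a": set(), "b": set(), "c": set()}
    for i in range(s):
        q = rng.randrange(2)                       # Alice's secret q_i
        # |psi_i> = cos(theta)|x>|0,q> + sin(theta)|y>|1,q>, stored as the
        # beta-vectors attached to |x> and to |y>.
        bx = tuple(math.cos(theta) * c for c in pol(0, q))
        by = tuple(math.sin(theta) * c for c in pol(1, q))
        # Bob: random basis p', projective measurement of beta_i.
        p1 = rng.randrange(2)
        amp = {o: (dot(bx, pol(p1, o)), dot(by, pol(p1, o))) for o in (0, 1)}
        prob0 = amp[0][0] ** 2 + amp[0][1] ** 2
        q1 = 0 if rng.random() < prob0 else 1
        ax, ay = amp[q1]                           # unnormalised collapsed alpha_i
        # Bob: pick a lie type (or none) and announce (p'', q'').
        u = rng.random()
        if u < fa:
            lie, p2, q2 = "a", p1, 1 - q1
        elif u < fa + fb:
            lie, p2, q2 = "b", 1 - p1, q1
        elif u < fa + fb + fc:
            lie, p2, q2 = "c", 1 - p1, 1 - q1
        else:
            lie, p2, q2 = None, p1, q1
        if lie:
            lies[lie].add(i)
        # Alice: measure alpha_i in (|x>, |y>) only when q'' = not q_i (set M).
        if q2 != q:
            M.add(i)
            p = 0 if rng.random() < ax * ax / (ax * ax + ay * ay) else 1
            if p == p2:                            # p_i = p''_i  ->  i is in D
                D.add(i)
    return M, D, lies

def summarize(s=40000, fa=0.20, fb=0.15, fc=0.05):
    """Observed fractions next to the paper's predicted values."""
    M, D, lies = run_problem_p(s, fa, fb, fc)
    all_lies = lies["a"] | lies["b"] | lies["c"]
    return {
        "D_subset_of_lies": D <= all_lies,
        "D_frac": len(D) / s, "D_pred": fa / 2 + fb / 4 + fc / 4,
        "M_frac": len(M) / s, "M_pred": 0.25 + (fa + fc) / 2,
        "lie_b_left_in_M_minus_D": len((M - D) & lies["b"]),
    }

if __name__ == "__main__":
    for key, value in summarize().items():
        print(key, value)
```

The last entry of the summary counts lie b indices that remain in $M - D$; it stays at zero because every lie b that falls in $M$ leaves $\alpha_i$ in exactly the state whose outcome matches $p''_i$.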

This quantum algorithm is already the most efficient one. One can verify that preparing
$|\psi_i\rangle$ in other forms will require measuring more states when detecting $D$. For
example, if Alice prepares
$|\psi_i\rangle = |\alpha_i \otimes \beta_i\rangle = \cos\theta_i\, |x\rangle_\alpha \otimes |0,0\rangle_\beta + \sin\theta_i\, |y\rangle_\alpha \otimes |0,1\rangle_\beta$
and always measures $\alpha_i$ in the basis which can force $\beta_i$ to collapse to
$p''_i$, she will need to measure $s/2$ states to detect $D$. Or if she prepares
$|\psi_i\rangle = |\alpha_i \otimes \beta_i\rangle = \cos\theta_i\, |x\rangle_\alpha \otimes |0,0\rangle_\beta + \sin\theta_i\, |y\rangle_\alpha \otimes |1,1\rangle_\beta$
and always measures those that satisfy
$|p''_i, q''_i\rangle_\beta = |0,1\rangle_\beta \vee |p''_i, q''_i\rangle_\beta = |1,0\rangle_\beta$,
she will need to measure $[1/4 + (f_a + f_b)/2]s$ states. All these numbers are larger than
$[1/4 + (f_a + f_c)/2]s$ given $f_a, f_b, f_c < 1/4$ and $f_b > f_c$.
So if we build a protocol in which Alice is required to solve Problem P while only
$[1/4 + (f_a + f_c)/2]s$ states are allowed to be measured, she has to follow the above
quantum algorithm honestly. Now let us give a parameter $c_i^0$ to each state
$|\psi_i\rangle$ ($i \in S - D$), and set $c_i^0 = 0$ if $i \in U$, which means $\alpha_i$
is unmeasured by Alice, or $c_i^0 = 1$ if $i \in M - D$, which means $\alpha_i$ is already
measured by Alice. Thus after solving Problem P, a string $c^0 = (c_1^0 c_2^0 \ldots c_n^0)$
($n = |S - D|$) is created. Then we can adopt the codeword method of the BCJL QBC protocol
[17], encoding a codeword with $c^0$ to tie it to the commit bit $b$. So the entire
description of our QBC protocol is:

The commit protocol: (commit($b$))

(C1) Alice and Bob first agree on a security parameter $s$, then
$\mathop{\mathrm{DO}}_{i=1}^{s}$ Alice picks $\theta_i \in (0, \pi/2)$ ($\theta_i$ need not
be different for different $i$. For example, one can fix $\theta_i = \pi/4$ throughout the
whole protocol) and randomly picks $q_i \in \{0, 1\}$, and prepares an entangled state
$|\psi_i\rangle = |\alpha_i \otimes \beta_i\rangle = \cos\theta_i\, |x\rangle_\alpha \otimes |0, q_i\rangle_\beta + \sin\theta_i\, |y\rangle_\alpha \otimes |1, q_i\rangle_\beta$.
Then she sends $\beta_i$ to Bob and stores $\alpha_i$;

(C2) Bob chooses a number $s'$ ($0 \le s' < s$) and randomly divides $S = \{1, \ldots, s\}$
into two subsets $S'$ and $S''$ such that $|S'| = s'$, $S'' = S - S'$. Then for
$\forall i \in S'$ Bob stores $\beta_i$ unmeasured. And for $\forall i \in S''$ Bob randomly
picks a basis and measures $\beta_i$. The outcome is denoted as $|p'_i, q'_i\rangle_\beta$;

(C3) Bob chooses $f_a$, $f_c$ ($0 < f_a, f_c < 1/4$ and $f_b > f_c$) and announces to Alice
the "fake" results $\{|p''_i, q''_i\rangle_\beta \mid i \in S\}$ such that
$f_a = (|L_a| + s'/4)/s$, $f_b = (|L_b| + s'/4)/s$ and $f_c = (|L_c| + s'/4)/s$, where
$L_a = \{i \in S'' \mid |p''_i, q''_i\rangle_\beta = |p'_i, \neg q'_i\rangle_\beta\}$,
$L_b = \{i \in S'' \mid |p''_i, q''_i\rangle_\beta = |\neg p'_i, q'_i\rangle_\beta\}$, and
$L_c = \{i \in S'' \mid |p''_i, q''_i\rangle_\beta = |\neg p'_i, \neg q'_i\rangle_\beta\}$;

(C4) Alice divides $S$ into two subsets: $M = \{i \in S \mid q''_i = \neg q_i\}$ and
$U = S - M$. For $\forall i \in M$, she measures $\alpha_i$ in the basis
$(|x\rangle_\alpha, |y\rangle_\alpha)$. She sets $p_i = 0$ if she finds $|x\rangle_\alpha$
or $p_i = 1$ if she finds $|y\rangle_\alpha$. Then she sets
$D = \{i \in M \mid p_i = p''_i\}$ and announces it to Bob;

(C5) Bob sets $D_{S'} = D \cap S'$. Then he measures $\beta_i$ ($\forall i \in D_{S'}$) in
the basis $p'_i = p''_i$ and denotes the outcome as $|p'_i, q'_i\rangle_\beta$. He agrees to
continue only if
$\{i \in D_{S'} \mid |p'_i, q'_i\rangle_\beta = |p''_i, q''_i\rangle_\beta\} = \emptyset$,
$D \subset L_a \cup L_b \cup L_c \cup S'$ and $|D| \sim (f_a/2 + f_b/4 + f_c/4)s$;

(C6) Alice sets $c_i^0 = 0$ if $i \in U$ or $c_i^0 = 1$ if $i \in M - D$. Thus she obtains a
binary string $c^0 = (c_1^0 c_2^0 \ldots c_n^0)$ ($n = |S - D|$);

(C7) Alice and Bob execute the BCJL protocol [17] by using $c^0$ to encode the codeword
($c^0$ itself is not announced to Bob). That is:

(C7.1) Bob chooses a Boolean matrix $G$ as the generating matrix of a binary linear
$(n, k, d)$-code $C$ and announces it to Alice, where the ratios $d/n$ and $k/n$ are agreed
on by both Alice and Bob;

(C7.2) Alice chooses a non-zero random $n$-bit string
$r = (r_1 r_2 \ldots r_n) \in \{0, 1\}^n$ and announces it to Bob;

(C7.3) Now Alice has in mind the value of the bit $b$ that she wants to commit. Then she
chooses a random $n$-bit codeword $c = (c_1 c_2 \ldots c_n)$ from $C$ such that
$c \odot r = b$ (Here $c \odot r = \bigoplus_{i=1}^{n} c_i \wedge r_i$);

(C7.4) Alice announces to Bob $c' = c \oplus c^0$.

The unveil protocol: (unveil($b, c, c^0, |\psi_i\rangle$))

(U1) Alice announces $b$, $c$, $c^0$, $\{q_i, \theta_i \mid i \in S\}$ and
$\{p_i \mid i \in M\}$ to Bob;

(U2) Alice sends the quantum registers $\{\alpha_i \mid i \in U\}$ to Bob;

(U3) Bob finishes the measurement on $\{\alpha_i \mid i \in U\}$ and
$\{\beta_i \mid i \in S'\}$ to check Alice's announcement;

(U4) Bob checks $|M| \sim [1/4 + (f_a + f_c)/2]s$ and $(M - D) \cap L_b = \emptyset$;

(U5) Bob checks $b = c \odot r$ and ($c$ is a codeword).

Unlike what is described in Problem P, in step (C2) we allow Bob to choose a subset $S'$
and delay the measurement on $\beta_i$ ($\forall i \in S'$). For the states in this set,
since Bob has to announce $|p''_i, q''_i\rangle_\beta$ randomly before he obtains
$|p'_i, q'_i\rangle_\beta$, it is equivalent to lying with the frequencies
$f_a = f_b = f_c = 1/4$ among the set. Thus by choosing $s'$ properly, Bob can still control
the total lying frequencies $f_a$, $f_b$ and $f_c$, as described in step (C3). The purpose
of $S'$ is to enhance Bob's chance of catching Alice cheating in steps (C5) and (U3).
However, the protocol is still valid even if Bob chooses $S' = \emptyset$.

The purpose of step (U3) is to make sure that Alice does not shift the bits in string $c^0$
from 1 to 0. In other words, it is to check whether Alice has already measured a state
$\alpha_i$ to make $\beta_i$ collapse, but still tries to say that the two states are left
entangled. There are many types of measurement that Bob can perform to catch this kind of
cheating. When both registers $\alpha_i$ and $\beta_i$ in $|\psi_i\rangle$ have not been
measured before (i.e. $i \in U \cap S'$), Bob can simply sort them by $\theta_i$ and $q_i$
and then measure the amount of entanglement [26] between them. Since local transformations
will not affect the entanglement, Alice cannot make a measured $\alpha_i$ entangle with
$\beta_i$ without help from Bob. So if the result of Bob's measurement turns out to be zero
or much different from the expected value calculated from the form of $|\psi_i\rangle$
Alice announced, Bob should reject this commitment.

For the other states, where one of the registers of $|\psi_i\rangle$ is already measured in
the commit phase, Bob can use the form of $|\psi_i\rangle$ Alice announced to calculate the
expected state $|e_i\rangle$ to which the other register of $|\psi_i\rangle$ should
collapse. Then he measures this register in the basis $(|e_i\rangle, |e_i\rangle_\perp)$. As
we know, different measured results of one of the registers will cause the other register
to collapse to different states, and these states are not orthogonal to each other when
$\theta_i \neq 0 \wedge \theta_i \neq \pi/2$. Therefore if Alice has not followed the
protocol honestly, the unmeasured register will have a non-zero probability to be found as
$|e_i\rangle_\perp$ by Bob. For instance, suppose Alice has formerly prepared a state as
$|\psi_{i_0}\rangle = |\alpha_{i_0} \otimes \beta_{i_0}\rangle = \frac{1}{\sqrt{2}}\left(|x\rangle_\alpha \otimes |0,0\rangle_\beta + |y\rangle_\alpha \otimes |1,0\rangle_\beta\right)$.
And in step (C3) Bob announces $|p''_{i_0}, q''_{i_0}\rangle_\beta = |1,1\rangle_\beta$.
Alice will then include the index $i_0$ of this state in set $M$ and measure $\alpha_{i_0}$
in the basis $(|x\rangle_\alpha, |y\rangle_\alpha)$. Suppose that she obtains
$|x\rangle_\alpha$ in her measurement. So she will not include $i_0$ in set $D$. Now since
$i_0 \in M - D$, she should set $c_{i_0}^0 = 1$. However, the dishonest Alice wants Bob to
believe $c_{i_0}^0 = 0$, so she must send Bob a fake state $\alpha_{i_0}$. But she does not
know the result of Bob's measurement on $\beta_{i_0}$. Since she has found $\alpha_{i_0}$ as
$|x\rangle_\alpha$ in her measurement, there are three possibilities: Bob has found
$\beta_{i_0}$ as $|0,0\rangle_\beta$, $|1,0\rangle_\beta$, or $|1,1\rangle_\beta$. Then
$\alpha_{i_0}$ has collapsed to $\sqrt{2/3}\,|x\rangle_\alpha + \sqrt{1/3}\,|y\rangle_\alpha$,
$\sqrt{1/3}\,|x\rangle_\alpha + \sqrt{2/3}\,|y\rangle_\alpha$, or $|x\rangle_\alpha$
respectively. If she prepares $|\alpha_{i_0}\rangle = |x\rangle_\alpha$ and sends it to Bob,
chances are that Bob has formerly obtained
$|p'_{i_0}, q'_{i_0}\rangle_\beta = |0,0\rangle_\beta$ in step (C2), so he is expecting
$|\alpha_{i_0}\rangle = \sqrt{2/3}\,|x\rangle_\alpha + \sqrt{1/3}\,|y\rangle_\alpha$. Then
when he measures $\alpha_{i_0}$ in the basis
$(\sqrt{2/3}\,|x\rangle_\alpha + \sqrt{1/3}\,|y\rangle_\alpha,\ -\sqrt{1/3}\,|x\rangle_\alpha + \sqrt{2/3}\,|y\rangle_\alpha)$,
he stands a 1/3 chance to find $\alpha_{i_0}$ as
$-\sqrt{1/3}\,|x\rangle_\alpha + \sqrt{2/3}\,|y\rangle_\alpha$ and catch Alice cheating. In
this case, the probability for Alice to cheat successfully for this single bit is
$f = 2/3$. As the minimum distance between codewords is $d$, to keep the total number of 0
in $c^0$ unchanged, a dishonest Alice will have to shift at least $d/2$ bits of $c^0$ from
1 to 0 to fulfill her cheating. Therefore the total probability for Alice to successfully
cheat this way without being caught is less than $\max(f)^{d/2}$. Since $d/n$ is fixed to be
a constant in the protocol and $n \propto s$, this probability drops exponentially to zero
as the security parameter $s$ increases.

The purpose of step (U4) is to make sure that Alice does not shift the bits in string $c^0$
from 0 to 1. In our protocol, although Alice can shift a bit $c_i^0$ from 0 into 1 simply by
measuring $\alpha_i$, the total number of 1 in $c^0$ is already restrained to be about
$|M - D| \sim (1 - f_b + f_c)s/4$. Since $|M|$ is already the minimum of the number of
states that Alice has to measure to solve Problem P, if she shifts more bits from 0 into 1,
there will be too many 1 in $c^0$. So this kind of cheating is easy for Bob to find out.
Also, solving Problem P with
$|\psi_i\rangle = |\alpha_i \otimes \beta_i\rangle = \cos\theta_i\, |x\rangle_\alpha \otimes |0, q_i\rangle_\beta + \sin\theta_i\, |y\rangle_\alpha \otimes |1, q_i\rangle_\beta$
has a characteristic property: all lie b among the set of states that Alice measured will
be detected. This is because when $\beta_i$ is found as $|0, \neg q_i\rangle_\beta$ (or
$|1, \neg q_i\rangle_\beta$) in Bob's measurement, $\alpha_i$ will collapse to
$|y\rangle_\alpha$ (or $|x\rangle_\alpha$ respectively). If Bob applies lie b by announcing
it as $|1, \neg q_i\rangle_\beta$ (or $|0, \neg q_i\rangle_\beta$), Alice is then expecting
to find $\alpha_i$ as $|x\rangle_\alpha$ (or $|y\rangle_\alpha$) in her measurement. Since
$|x\rangle_\alpha$ and $|y\rangle_\alpha$ are orthogonal to each other, when Alice measures
only the states that satisfy $q''_i = \neg q_i$, lie b will be 100% detected and none of
them will be left in set $M - D$. Thus if Bob finds $(M - D) \cap L_b \neq \emptyset$ in
step (U4), he knows that Alice must have measured some states which do not satisfy
$q''_i = \neg q_i$, or has not even prepared $|\psi_i\rangle$ in the correct form.

Therefore if Alice alters many of the bits in $c^0$, she will inevitably be caught.
Nevertheless, due to the fluctuation of random distribution, we cannot expect the size of
$D$ detected by Alice to be exactly equal to $(f_a/2 + f_b/4 + f_c/4)s$. So if Alice alters
only a few bits of $c^0$, she may escape being caught. But the codeword method in the BCJL
protocol can avoid this situation. That is, since the minimum distance between any legal
codewords is $d$, altering only a small number of bits of $c^0$ will not be enough to change
a codeword into another legal codeword. Therefore this way of cheating will make no sense
to Alice at all.
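
The codeword steps (C7.1)-(C7.4), the check in (U5) and the minimum-distance argument of the paragraph above can be tried on a toy code. This is an added example, not code from the paper or from the BCJL authors: the [7,4,3] Hamming generator matrix, the sample string `c0`, all function names, the redraw rule for `r` and the extra check of `c'` at unveil time are assumptions of the example.

```python
import itertools
import random

# Constructed sample: generator matrix of the binary [7,4,3] Hamming code,
# standing in for the (n, k, d)-code C that Bob announces in (C7.1).
G = [
    [1, 0, 0, 0, 1, 1, 0],
    [0, 1, 0, 0, 1, 0, 1],
    [0, 0, 1, 0, 0, 1, 1],
    [0, 0, 0, 1, 1, 1, 1],
]

def xor(u, v):
    return [a ^ b for a, b in zip(u, v)]

def inner(c, r):
    """c (.) r: XOR over i of (c_i AND r_i), as defined in (C7.3)."""
    return sum(a & b for a, b in zip(c, r)) % 2

def codewords(G):
    """All 2^k codewords spanned by the rows of G (fine for a toy code)."""
    words = []
    for msg in itertools.product((0, 1), repeat=len(G)):
        c = [0] * len(G[0])
        for bit, row in zip(msg, G):
            if bit:
                c = xor(c, row)
        words.append(c)
    return words

def commit(b, c0, G, rng):
    """(C7.2)-(C7.4): returns the announced r, the secret c, the announced c'."""
    C = codewords(G)
    while True:
        r = [rng.randrange(2) for _ in c0]
        # Assumption of this example: redraw r if it is zero or if c (.) r is
        # the same for every codeword, because then one value of b has no codeword.
        if any(r) and {inner(c, r) for c in C} == {0, 1}:
            break
    c = rng.choice([c for c in C if inner(c, r) == b])
    return r, c, xor(c, c0)

def unveil_ok(b, c, c0, r, c_prime, G):
    """(U5) checks, plus consistency of (c, c0) with the announced c'."""
    return c in codewords(G) and inner(c, r) == b and xor(c, c0) == c_prime

def min_c0_changes_to_reopen(b, c, r, G):
    """Fewest bits of c0 that must change to unveil 1-b under the same c'."""
    return min(sum(xor(c, c2)) for c2 in codewords(G) if inner(c2, r) == 1 - b)

def demo(b=1, seed=7):
    rng = random.Random(seed)
    c0 = [0, 1, 0, 0, 1, 0, 0]    # constructed sample of the string from (C6)
    r, c, c_prime = commit(b, c0, G, rng)
    honest = unveil_ok(b, c, c0, r, c_prime, G)
    flipped = unveil_ok(1 - b, c, c0, r, c_prime, G)
    return honest, flipped, min_c0_changes_to_reopen(b, c, r, G)

if __name__ == "__main__":
    print(demo())
```

Because `c'` is fixed once announced, opening the other bit means replacing `c` by another codeword and `c0` by `c' XOR` that codeword, so the third value returned by `demo` is never below the code's minimum distance (3 here).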

Now we will show that the protocol is also secure against Bob. During the commit phase,
since $q_i$ is kept secret by Alice, Bob cannot know how to divide $S$ into subsets $M$ and
$U$. Though he knows that in the $n$-bit string $c^0$
($n = |S - D| \sim (1 - f_a/2 - f_b/4 - f_c/4)s$) there are
$d^0 = |M - D| \sim (1 - f_b + f_c)s/4$ bits that take the value 1, and the other
$(n - d^0)$ bits are 0, he does not know the position of these bits. Thus the possible
number of $c^0$ is $\binom{n}{d^0}$. Then Theorem 3.4 in Ref. [17] applies. Briefly, as
$d^0 > \gamma n$ ($\gamma = H^{-1}(1/2) \approx 0.1100279$), we have
$\binom{n}{d^0} > \binom{n}{\gamma n} \geq 2^{n/2}/\sqrt{n}$. Divide by $2^{n-k}$ (the
number of syndromes of the code $C$), and we get: the number of codewords at Hamming
distance $d^0$ has a lower bound $2^{k - n/2}/\sqrt{n}$, which is exponentially large in $n$
as long as we choose $k/n > 1/2$ in step (C7.1). Therefore Lemmas 3.5 and 3.6 of Ref. [17]
are also valid for our protocol. That is, Bob has an exponentially small amount of Shannon
information on the value of $b$ before the unveil phase.

So we can see that our protocol is both unconditionally binding and concealing, therefore
it is unconditionally secure. Briefly, the protocol evades the MLC theorem for the following
reason. There are two tasks for Alice to accomplish during the commit phase: Task 1: solve
Problem P; and Task 2: commit the bit $b$. The purpose of Task 1 is to prepare the input
states for Task 2. The form of Task 2 is quite similar to the BCJL QBC protocol. However,
there is a critical difference: the encoding method. Unlike any protocol that is covered by
Yao's general QBC model, in our protocol, whether a state
$|\psi_i\rangle = |\alpha_i \otimes \beta_i\rangle$ is encoded as 0 or 1 does not depend on
the form of $\alpha_i$, but on whether $|\psi_i\rangle$ is an entangled state or not. If
$|\psi_i\rangle$ can be written as $|\alpha_i\rangle \otimes |\beta_i\rangle$ (which means
that it is a non-entangled product state) we take $c_i^0 = 1$, else we take $c_i^0 = 0$.
Since it is a basic principle that the entanglement between two systems $\alpha_i$ and
$\beta_i$ cannot be created locally, there does not exist any local unitary transformation
for Alice to map a state $|\psi_i\rangle = |\alpha_i\rangle \otimes |\beta_i\rangle$ into an
entangled state. Of course if Alice can maintain every input state of Task 2 in an entangled
form $|\psi_i\rangle = |\alpha_i \otimes \beta_i\rangle$ she can unveil $c^0$ with any value
she likes, since such a state is free to map into
$|\psi_i\rangle = |\alpha_i\rangle \otimes |\beta_i\rangle$. But to accomplish Task 1, Alice
inevitably has to measure at least a certain number of these states to break down the
entanglement between $\beta_i$ and any other systems and make $|\psi_i\rangle$ collapse to
$|\alpha_i\rangle \otimes |\beta_i\rangle$ (Here $\alpha_i$ can represent any systems not on
Bob's side, including the environment). And this number sets the maximum of the allowed
number of 1 in the codeword string $c^0$ in our protocol. Therefore, no LOCAL unitary
transformation will be available for Alice to map the state
$|b\rangle = |\psi_1\rangle \otimes |\psi_2\rangle \otimes \cdots \otimes |\psi_n\rangle$
into $|\neg b\rangle$. By this means, the cheating strategy in the MLC theorem cannot work
any more, and unconditional security is achieved. Full mathematical proof and detailed
discussion on the limitation of the MLC theorem will be supplied elsewhere.

Thus by using entangled states to run quantum algorithms, we propose an unconditionally
secure quantum bit commitment protocol. Therefore all the other cryptographic tasks that
are based on bit commitment, such as unconditionally secure quantum oblivious transfer,
two-party secure computations, quantum coin tossing and quantum oblivious mutual
identification, then follow straightforwardly. The potential of quantum cryptography meets
a great development.